topic yes thank you kanwaljeet I in Network Security

Migration from PIX 6.0 to ASA 9.0

usman ali dar — Tue, 12 Mar 2019 05:49:36 GMT

we have an old pix that we are migrating to ASA 9.0 everything seems good regarding configuration's and migration of all services, the issue I am facing is that I have some or many applications that is stick to the interface ip because it is dynamically NATTED outside in old days and now when all the migrations can be done but not that IP it might break many application services or issue which is not good.

any suggestions or ideas how can I work around with this..?

any thoughts if I change the outside ip of new firewall ASA with Old firewall Outside IP what will happen to ASA or I should not do that ?

I cannot create another or sub interface because the new firewall and the old firewall is in the same subnet.....

old firewall 192.168.100.1/24

new firewall 192.168.100.2/24

I think I cannot also use secondary ip address option on the ASA......

The only option or solution that I can think of is use the outside interface IP of the old PIX and use it to NAT dynamically all of the objects and object-groups that is actually natted in PIX and get the routing configured for that outside ip towards new ASA .....however this is just a thought .....

any suggestions please...

Hi Usman,You can use the PIX

Kanwaljeet Singh — Thu, 23 Apr 2015 17:24:40 GMT

Hi Usman,

You can use the PIX outside IP and create NAT rules on ASA. Just ensure that routing is fine and ASA will nat the traffic. You don't need to assign the IP on an interface.

Also, depending upon your requirement you can even assign it on outside interface but then existing rules on ASA would be impacted too. If you don't want that, just nat the network with IP that is on PIX(and now asa will answer arp for it), take care of the routing and shut down pix interface and everything should be fine.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Hi Usman,You can use the PIX

Kanwaljeet Singh — Thu, 23 Apr 2015 17:26:56 GMT

Hi Usman,

You can use the PIX ip on your new ASA(create object) and use it for NAT. No need to define it on the interface. ASA will nat it and answer arp for this IP. Depending upon your requirement you can even use the PIX IP on outside interface but your existing rules will be impacted too. Clear xlate if you chose the latter and it should work fine. If you chose the former ensure that routing is properly taken care of and it should work just fine.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

yes thank you kanwaljeet I

usman ali dar — Thu, 23 Apr 2015 17:56:09 GMT

yes thank you kanwaljeet I agree with you regarding having a NAT instead of replacing the Outside ip because I will have to then change many other things inclusive of routing and arp tables so it would be very good to have the object and nat all the required subnets to the PIX outside ip with static route on edge router.....

for the arp table I should only clear the arp table on all the devices or simply on core and edge device would be suffice....

regards